'Love' Virus Assaults World Computers

By John Schwartz and David A. Vise
Washington Post Staff Writers
Friday, May 5, 2000; A01

An electronic virus disguised as a love letter raged around the globe yesterday, worming its way into potentially millions of personal computers and cutting the e-mail lifelines that serve individuals, businesses and governments.

Overnight, the rogue program--carried inside an e-mail message whose subject line reads "I Love You"--swept through Asia, Europe and then the United States. The self-replicating virus clogged computer networks from Belgium's banking system to Britain's Parliament to the Pentagon and Ford Motor Co. Scientists at the Centers for Disease Control and Prevention in Atlanta and at the Food and Drug Administration were cut off. Computers at the International Monetary Fund, having hummed merrily through last month's street protests in Washington, were temporarily shut down in the face of the assault.

"It's huge. It's an epidemic," said Sal Viveros, director of the McAfee anti-virus division of the software company Network Associates.

Viveros estimated that the love-letter attack hit 80 percent of the computers in Sweden, 70 percent of the computers in Germany and a third of the machines in England and had more than twice the impact of last year's "Melissa" virus, which also affected computers worldwide.

The particularly nasty bug served as yet another reminder of the fragile underpinnings of the "new economy." Official reports showed it had infected at least 300,000 computers worldwide by noon and was still proliferating madly, said Katy Fithen, who heads the federally funded Computer Emergency Response Team (CERT) Coordination Center at Carnegie-Mellon University.

In many cases, the program--technically known as a worm--also deleted computer files containing music, pictures and many of the small programs that automate computer tasks. It also changed the starting page of the Internet Explorer software that many people use to view World Wide Web sites.

Businesses and governments, finding themselves flooded with the e-mail messages and dealing with the resulting drag on their networks and damage to computer files, shut down systems. Prince William County offices spent an e-mail-less day as their tech experts worked their way through the data-flooded network.

The worm either originated in the Philippines or was designed to look that way. The text of the software contains the addresses for several Philippine Web sites and the e-mail address "spyder@mail.com." A message within the code also declares, "I hate to go to school."

E-mail sent to that address bounced back yesterday unanswered.

The Clinton administration said the FBI has launched a criminal investigation of the incident. The FBI's New York field office, the bureau's largest, has the lead role in the investigation, administration sources said. In addition, the bureau's Newark and Charlotte field offices are on the case. The bureau's National Infrastructure Protection Center in Washington is coordinating the probe.

Because the e-mail hijacks a user's electronic address book and therefore appears, in many cases, to come from a friend or colleague, it is likelier to be opened. "When you received it, the sender's name was somebody you know and trust, so you'd open it," said Thomas W. Lippman, vice president for communications at the World Wildlife Fund.

Worse, the surprising "I Love You" subject line cuts through the defenses most Internet users have built up in the face of thousands of come-ons for cheap travel, stock tips and porn.

"It's a good thing this didn't happen on Valentine's Day," quipped Michael Vatis, head of the FBI's infrastructure center.

Computers with Microsoft's Outlook communications program were the worst hit because the worm sends a copy of itself to everyone in the recipient's Outlook address book--a strategy employed by Melissa. But Melissa sent itself only to the first 50 people in the address book; the "Love Bug" is far more promiscuous, sending itself out to every name on the list, including the large groups of addresses that many people now maintain for broadcasting messages to friends and family.

The body of the message reads, "Kindly check the attached LOVELETTER coming from me." Attached to the message is the file "LOVE-LETTER-FOR-YOU.TXT.vbs."

The software, hidden in the attachment, is most often activated when the user opens it. Along with its propensity to clog e-mail systems by replicating wildly, it also attempts to start a program that grabs any secret passwords directly from the machine's temporary memory--and may even redistribute them via e-mail.

The Love Bug also seeks out files in such formats as .jpg and .mp3--used for images and music--and replaces them with copies of the virus. It also replaces files written in Visual Basic and Java, software used to automate computer tasks and run programs such as those used to play online games and calculate mortgage rates on financial Web sites.

Fithen, of CERT, said the program was able to spread itself through other means as well, traveling among computers on a network via shared files, over the Internet Relay Chat online discussion system and through programs that can be downloaded automatically by browser software. Copycat versions of the virus, with other messages, have already begun to appear, industry sources said.

Computers running Microsoft Windows 95 and Windows NT can be taken over by the virus, Fithen said. It will not affect computers running variants of the Unix operating system or Apple's Macintosh computers, she said--though users of those operating systems still received numerous copies of the e-mail from other affected computers.

Many sites hit by the virus--including The Washington Post and government computer contractor BTG Inc. of Fairfax--said they were not heavily affected by the Love Bug, but system administrators decided to shut down e-mail systems temporarily in order to get the problem under control, causing disruption.

At the White House, spokesman Jake Siewert said "we just got a couple of the e-mails." System administrators there were able to adjust the network's security software to filter those messages out, Siewert said, without disturbing e-mail or Internet access.

Many companies reported that the message had scarcely affected their operations at all. Employees at General Dynamics Corp. in Falls Church received copies of the infected message, but a spokeswoman said they had been warned not to open them by their system contractor, Computer Sciences Corp., and managed to avoid problems.

Administration sources said FBI agents and foreign law enforcement authorities are pursuing the possible Philippines connection. The program has been nicknamed the "killer from Manila," but anti-virus experts do not hold out much hope that the tantalizing clues are anything more than a smoke screen--or that the culprit will be found.

"You know what they call the dumb computer hackers? Defendants!" said Mark Rasch, a former federal computer crime prosecutor and computer security expert with Reston-based Global Integrity. "Generally you only catch the ones that screw up."

The software itself is a wonder of versatility, said computer security expert Peter G. Neumann of SRI International.

"It shows how incredibly vulnerable the whole system is," said Neumann, who publishes the influential Risks online newsletter. "There is no operating system security in the mass market or in applications software. The network is lame and the whole communications infrastructure is just riddled with vulnerabilities."

Eugene Spafford, who heads the Center for Education and Research in Information Assurance and Security at Purdue University, suggested that many security problems stem from the software industry's tendency toward "feature bloat"--piling features onto programs that buyers won't actually use, but which render software less secure--and from the success Microsoft has enjoyed in the software market with programs like Outlook, so that a virus writer has vast numbers of highly susceptible machines.

Truly effective fixes will have to be built into operating systems from the ground up, he said--and such a Herculean undertaking isn't likely until courts begin holding software companies responsible for security flaws. "The tobacco companies have just been claiming for years that they're giving their customers what they want," he said. "So have the software companies. What this has shown is that the users don't understand what they really need."

The viral attack had many users scrambling yesterday to repair some of the damage they had done to others. George Cox, vice president of the private client group for Merrill Lynch & Co. in Seattle, said he was phoning all 50 people in his e-mail address book to warn them not to open the messages that went out yesterday morning under his name. "I've been calling people all over the country and telling them I really do love them, but not in that way," he said with a rueful chuckle.

To Cox, there was a deeper message, however. "We're all so interconnected now," he said, "that something like that--which years ago would have been trivial--can shut things down for a while."

Neumann of SRI joked that it shouldn't take a computer security geek to sense that something about yesterday's messages was amiss--just experience in the ways of the world and love.

"We should know by now that if someone you don't know well tells you, 'I love you,' you should worry about whether he could give you a virus."

Staff writers Greg Schneider and Ariana Eunjung Cha and washingtonpost.com staff writer Dan Froomkin contributed to this report.

How the Virus Works

The "I Love You" virus is a Visual Basic script (.vbs) file that launches when its icon is double-clicked. Here's a look at how it infects Windows machines.

E-mail attachment LOVE-LETTER-FOR-YOU.TXT.vbs is launched by clicking on the file icon.

Once executed, the virus modifies the Windows system. First, it copies itself by creating the following files:

* MSKernel32.vbs

* LOVE-LETTER-FOR-YOU.TXT.vbs

* Win32DLL.vbs.

The virus then adds itself to the registry, a huge database of user preferences, hardware settings, and application and file information needed to run Windows. The virus adds the following entries so that it will execute when Windows is restarted:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RunServices\Win32DLL

The virus creates a new home page for Internet Explorer that links to an executable program called WIN-BUGFIX.exe. The file contains a program that will attempt to steal saved passwords and e-mail them to the virus writer. Additionally, an HTML file called LOVE-LETTER-FOR-YOU.HTM is created. This file contains the virus code and will be sent whenever a user joins an Internet Relay Chat (IRC).

The virus hijacks Microsoft Outlook and mass e-mails itself to everyone in the address book file. The message is sent with the virus as an attachment.

Finally, the virus scans the infected system hard disk and overwrites any files with the extensions: .jpg, .jpeg, .mp3, .mp2, .vbs, .vbe, .jse, .css, .wsh, .sct, .hta. The virus deletes the original files and creates new files with the old file name and .vbs at the end. For example, a file called photo.jpg would become photo.jpg.vbs. If a user were to click on any of these new .vbs files, the virus would again launch its attack on the system.
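
As an added illustration (not part of the original article and not code from any anti-virus vendor), the traces described above can be turned into a simple triage check over a file inventory and a list of autostart registry values. The function names, the inventory format and the sample paths are assumptions made for this example.

```python
from pathlib import PureWindowsPath

# Indicators as listed in the article's "How the Virus Works" section.
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugfix.exe"}
TARGETED_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2", ".vbs", ".vbe", ".jse",
                 ".css", ".wsh", ".sct", ".hta"}
RUN_VALUES = {"mskernel32", "win32dll"}


def classify_file(path):
    """Return the indicator a file path matches, or None."""
    p = PureWindowsPath(path)
    if p.name.lower() in DROPPED:
        return "dropped-file"
    suffixes = [s.lower() for s in p.suffixes]
    # photo.jpg -> photo.jpg.vbs: a targeted extension followed by ".vbs".
    if len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in TARGETED_EXTS:
        return "overwritten-copy"
    return None


def classify_run_value(name, command):
    """Flag an autostart value whose name or command matches the article."""
    cmd = command.lower()
    if name.lower() in RUN_VALUES or any(d in cmd for d in DROPPED):
        return "persistence"
    return None


def triage(files, run_values):
    """Return (indicator, detail) pairs for every match in the inventory."""
    findings = [(r, f) for f in files if (r := classify_file(f))]
    findings += [("persistence", f"{n} -> {c}")
                 for n, c in run_values if classify_run_value(n, c)]
    return findings


# Constructed sample inventory; paths and the benign entries are made up.
SAMPLE_FILES = [r"C:\example\MSKernel32.vbs", r"C:\example\photo.jpg.vbs",
                r"C:\example\budget.xls", r"C:\example\v1.2.notes.txt",
                r"C:\example\backup.vbs"]
SAMPLE_RUN = [("MSKernel32", r"C:\example\MSKernel32.vbs"),
              ("SystemTray", "SysTray.Exe")]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(f"{indicator:17} {detail}")
```

An ordinary script such as backup.vbs is not flagged; only a name that stacks .vbs on top of one of the targeted extensions is, which is the trace the overwrite step leaves behind.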

What to Do

If you have anti-virus software on your home computer, updates are almost certain to be available at the company's Web site. If you don't have such software and the bug has hit, don't despair: The following sites offer evaluation versions of their software as well as updates to handle LoveLetter.

www.f-secure.com

http://vil.nai.com

www.symantec.com

www.antivirus.com

www.finjan.com (for businesses)

© 2000 The Washington Post Company